When the General Data Protection Regulation (GDPR) was introduced, one of the central topics in the media was the possibility of large fines for data protection violations. Art. 83 of GDPR set benchmarks with a maximum fine of 20 million euros (or 4 percent of a company total worldwide turnover if greater), without, however, providing guidelines for calculation or determination of the amount of the fine.
In December 2019, the German Data Protection Conference (DSK) published guidance for the determination and calculation of fines, which will likely be applied in the future by the various data protection authorities of the federal states.
The approach is primarily geared toward the turnover of the relevant company. Five steps are required to determine the specific fine:
The company is categorized into a class (start-up, small, medium, and large company) based on its turnover. The classes are further divided into several subgroups. The classification is based on the total turnover of the company in the previous calendar year.
Following the classification of the company into class and subgroup, the average annual turnover is determined according to the specific sub-group.
The basic economic value of the company is assessed by setting a daily rate. This is done by taking the average annual turnover (step 2), dividing it by 360, and rounding up.
It is only at this stage that the specific infringement is taken into account and classified according to its severity as “slight, medium, severe and very severe.” There is also a division into “formal” and “material.” Formal infringements are specified in Art. 83 (4) GDPR. Material infringements are found in Article 83 (5) and (6) GDPR, and this classification must take into account the specific circumstances of each case, such as the nature, severity, and duration of the infringement. Whether the infringement happened intentionally or due to negligence should also be taken into account. Once the factor is determined, it is multiplied by the daily rate. Note however that for the “very severe” infringements category, a specific factor is not fixed but rather can be freely chosen.
The fifth and last step allows for the fine to be adjusted based on all the circumstances or criteria relating to the offender—which also influence the proceedings. Thus, a discount may be granted due to the particularly long duration of the procedure. It is also possible to take into account that the relevant company is experiencing a particularly precarious economic situation.
Whilst the introduction of standardized rules is welcome, the system appears to be unsuitable. The classification of companies according to their turnover may serve to be too crude and one-sided. In addition, the approach has been accused of leaving too much leeway for the authorities in assessing the specific infringement and does not sufficiently limit fines. This may result in considerably higher fines in the end.
Written by Andre Appel of Ogletree Deakins
© 2020 Ogletree, Deakins, Nash, Smoak & Stewart, P.C.